RE: What's going on here?
From: NESTING, DAVID M (SBCSI) (dn3723@sbc.com)Date: 08/26/02
- Previous message: Netw3 Security Research: "TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid"
- Maybe in reply to: Jackie: "What's going on here?"
- Next in thread: Yonatan Bokovza: "RE: What's going on here?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "NESTING, DAVID M (SBCSI)" <dn3723@sbc.com> To: "'Jackie'" <JackieJ@Syllables.com>, incidents@securityfocus.com Date: Mon, 26 Aug 2002 11:26:10 -0500
It's possible you have a client on your network attempting to access a
mis-configured web server farm. Normally requests would go to a front-door
server and get NAT'd back to another set of servers to actually handle the
request. For some reason, the responses from these servers are not getting
NAT'd back to the original source address so they appear as spurious packets
from a private address space on port 80.
David
-----Original Message-----
From: Jackie [mailto:JackieJ@Syllables.com]
Sent: Friday, August 23, 2002 18:57
To: incidents@securityfocus.com
Subject: What's going on here?
ZoneAlarm reported this burst, all from port 80 on a reserved IP
block. What the honk's going on?
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Previous message: Netw3 Security Research: "TCP 6129 - Dameware, TCP 17890 IIS.EXE, SVR1984.exe - Team Liquid"
- Maybe in reply to: Jackie: "What's going on here?"
- Next in thread: Yonatan Bokovza: "RE: What's going on here?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
